Lab 10.2 Actually - JadenGil/Jaden-Tech-Journal GitHub Wiki

Starting Off:

To start off the assignment it's important to find the IP address that Nancinir is running on. I did this by using the nslookup command as always. At this point it is easy to assume that the host will fall under "shire.org", so I ran the command nslookup nancinir.shire.org 10.0.5.22 and found that it is running on the IP address 10.0.5.28. It is important to use the DNS server 10.0.5.22 in this case, as this is the DNS server that most of the other servers have fallen under.

image

This is the webpage:

image


Getting the Open Ports:

This is done the same way as in the other labs, using nmap. I used the command nmap -A -sV 10.0.5.28 in this instance and found that the only open port is 80:

image


Finding Nancinir Vulnerabilities:

Just like in the other labs, dirb is our best friend here. Running dirb http://10.0.5.28/ shows that there is a phpMyAdmin install on the server, and that will most likely be our ticket to exploitation. After doing research on Exploit-DB I was able to find a few exploits for phpMyAdmin 4.8.1, but discovered that they are all the same with slightly different documentation, so I will list the one I used here:

https://www.exploit-db.com/exploits/50457
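From the defender's side, the dirb step above is loud: one client sends a burst of requests, most of which come back 404, and then lands on /phpmyadmin. The script below is an added example (not part of this journal) that parses Apache combined-format access log lines and flags that pattern. The log lines, the client IPs, the SENSITIVE_PATHS list and the thresholds are all constructed for the example.

```python
"""Detect dirb-style directory brute-forcing in Apache access logs.

Added example for this lab journal (not code from the original page). A
wordlist scan leaves a burst of requests from one client, most of them
404s, plus hits on admin paths such as /phpmyadmin. All log lines below
are constructed; the thresholds are assumptions for the example.
"""
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths whose discovery is worth an alert on its own (assumed list for the example)
SENSITIVE_PATHS = ("/phpmyadmin", "/admin", "/.git", "/backup")


def parse_line(line):
    """Return a dict of fields, or None if the line is not combined-format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_scans(lines, min_requests=10, min_404_ratio=0.6):
    """Group requests by client IP and flag scanning behaviour.

    A client is flagged when it made at least `min_requests` requests and at
    least `min_404_ratio` of them were 404s, or when it touched a sensitive path.
    Returns {ip: {"requests", "not_found", "sensitive", "ua", "flagged"}}.
    """
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "sensitive": [], "ua": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
        if rec["path"].lower().startswith(SENSITIVE_PATHS):
            s["sensitive"].append(rec["path"])
        s["ua"].add(rec["ua"])
    for s in stats.values():
        ratio = s["not_found"] / s["requests"]
        brute = s["requests"] >= min_requests and ratio >= min_404_ratio
        s["flagged"] = brute or bool(s["sensitive"])
        s["ua"] = sorted(s["ua"])
    return dict(stats)


def flagged_ips(lines):
    """Convenience wrapper: sorted list of client IPs that were flagged."""
    return sorted(ip for ip, s in detect_scans(lines).items() if s["flagged"])


# Constructed sample log: one ordinary visitor and one client running a wordlist scan
SAMPLE_LOG = [
    '10.0.5.50 - - [01/Nov/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.5.50 - - [01/Nov/2023:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 128 '
    '"http://nancinir.shire.org/" "Mozilla/5.0"',
] + [
    f'10.0.5.100 - - [01/Nov/2023:10:05:{i:02d} +0000] "GET /{word} HTTP/1.1" 404 196 "-" "Mozilla/4.0 (scanner)"'
    for i, word in enumerate(["bak", "cgi-bin", "db", "logs", "old", "sql", "test", "tmp", "upload"])
] + [
    '10.0.5.100 - - [01/Nov/2023:10:05:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (scanner)"',
    '10.0.5.100 - - [01/Nov/2023:10:05:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (scanner)"',
]

if __name__ == "__main__":
    for ip, s in detect_scans(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests,", s["not_found"], "404s, sensitive:", s["sensitive"],
              "FLAGGED" if s["flagged"] else "ok")
```

On a real server you would feed `/var/log/apache2/access.log` into `detect_scans` line by line and tune the thresholds to the site's normal 404 rate; the sensitive-path hit is the stronger signal, because a legitimate visitor has no reason to find /phpmyadmin by guessing.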

Now that I know of these exploits I can use the searchsploit command in Kali:

image

Once I found this I went to this page and was presented with this:

image

From the other page I was able to find that the username is obviously gandalf. The password is a bit tricky to find if you don't know where to look, but it is also hidden just below the surface on the main page: inspect the page source and a keyword should stand out.

image

Use those as the username and password and you're in. Super easy!

image


Gaining a Foothold

Once you're logged in it's fairly easy to gain a foothold.

You'll first want to enter MySQL:

image

Scroll down to the "user" table:

image

and edit the "root" row:

image

In editing mode you just need to scroll a bit and you'll find a hashed password in the column called "authentication_string":

image

To crack this hash I used the command john --wordlist=/usr/share/wordlists/rockyou.txt gandalfhash.txt and got this output:

image
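The reason john gets through that hash so quickly is the format: the value in authentication_string for a mysql_native_password account is "*" followed by the uppercase hex of SHA1(SHA1(password)), with no salt and no work factor, so every wordlist candidate costs two cheap SHA-1 calls. The script below is an added example (not part of this journal) of the audit a database owner can run on their own mysql.user table before anyone else does: it rebuilds the hash, checks each native-password account against a deny list, and also flags legacy plugins and wildcard hosts. The rows, the deny list and the app password are constructed.

```python
"""Audit mysql.user authentication_string values against a weak-password deny list.

Added example for this lab journal (not code from the original page). The
hash pulled out of the "user" table is a mysql_native_password hash:
'*' + HEX(SHA1(SHA1(password))). It is unsalted and fast, so the same
check a cracker runs can be run defensively over your own accounts. The
rows and the deny list below are constructed for the example.
"""
import hashlib


def mysql_native_hash(password: str) -> str:
    """Reproduce MySQL's mysql_native_password hash: '*' + HEX(SHA1(SHA1(pw)))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed stand-in for:
#   SELECT user, host, plugin, authentication_string FROM mysql.user;
USER_ROWS = [
    {"user": "root", "host": "localhost", "plugin": "mysql_native_password",
     "authentication_string": mysql_native_hash("password")},
    {"user": "app", "host": "%", "plugin": "mysql_native_password",
     "authentication_string": mysql_native_hash("Xq7!v9Lp#2mZ")},   # constructed, not in deny list
    {"user": "backup", "host": "localhost", "plugin": "caching_sha2_password",
     "authentication_string": "$A$005$constructed-placeholder"},     # salted; not checked here
]

# Small constructed deny list; in practice use a large breached-password list.
DENY_LIST = ["password", "123456", "root", "admin", "toor", "mysql"]


def audit_users(rows, deny_list):
    """Return one finding per account: {"account": "user@host", "issues": [...]}.

    Only mysql_native_password hashes are compared, because only that format
    can be rebuilt from the password alone (caching_sha2_password is salted).
    """
    candidates = {mysql_native_hash(p): p for p in deny_list}
    findings = []
    for row in rows:
        issues = []
        if row["plugin"] == "mysql_native_password":
            issues.append("legacy unsalted hash (mysql_native_password)")
            weak = candidates.get(row["authentication_string"])
            if weak is not None:
                issues.append(f"password is in deny list: {weak!r}")
        if row["host"] == "%":
            issues.append("account reachable from any host")
        findings.append({"account": f"{row['user']}@{row['host']}", "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_users(USER_ROWS, DENY_LIST):
        print(f["account"], "->", "; ".join(f["issues"]) or "ok")
```

The fix for a hit is to rotate the password and, on MySQL 8, move the account to caching_sha2_password (ALTER USER ... IDENTIFIED WITH caching_sha2_password BY ...), and to restrict the host column so an account like root is not reachable through phpMyAdmin from the network at all.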

After doing this you'll want to make a backdoor on the server. I achieved this using weevely:

image

I started a web server using Python:

image

image

Got in using weevely:

image
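What the weevely step leaves behind is a PHP file in the web root that the application never shipped. The scanner below is an added example (not part of this journal) of how a defender finds such a file after the fact. It uses three generic heuristics rather than a signature for any one tool: a dangerous call (eval, system, ...) that consumes request input, obfuscation helpers such as base64_decode or str_rot13, and unusually long lines, which generated agents tend to produce. The sample web root it scans is built in a temporary directory from constructed files, and the line-length threshold is an assumption.

```python
"""Scan a web root for PHP web shells.

Added example for this lab journal (not code from the original page). The
files it scans are constructed in a temporary directory; the patterns are
generic heuristics, not a signature for weevely or any other specific tool.
"""
import os
import re
import tempfile

DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
OBFUSCATION = re.compile(r"\b(base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
LONG_LINE = 400  # characters; assumed threshold for the example


def score_php(source: str):
    """Return the reasons a PHP source looks like a web shell (empty list = clean)."""
    reasons = []
    if DANGEROUS_CALLS.search(source) and REQUEST_INPUT.search(source):
        reasons.append("dangerous call combined with request input")
    if OBFUSCATION.search(source):
        reasons.append("obfuscation helper used")
    if any(len(line) > LONG_LINE for line in source.splitlines()):
        reasons.append(f"line longer than {LONG_LINE} chars")
    return reasons


def scan_webroot(root: str):
    """Walk `root` and return {relative_path: reasons} for every PHP file that scored."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                reasons = score_php(fh.read())
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits


# Constructed sample web root: two legitimate files and two planted ones.
SAMPLE_FILES = {
    "index.php": "<?php\necho 'Welcome to Nancinir';\ninclude 'config.php';\n",
    "config.php": "<?php\n$db_host = 'localhost';\n$db_user = 'gandalf';\n",
    "uploads/cmd.php": "<?php\nif (isset($_GET['c'])) { system($_GET['c']); }\n",
    "uploads/agent.php": "<?php\n$p = str_rot13('x'); eval(base64_decode($p . '"
                         + "A" * 500 + "'));\n",
}


def build_sample_webroot() -> str:
    """Write the constructed files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, reasons in sorted(scan_webroot(build_sample_webroot()).items()):
        print(path, "->", "; ".join(reasons))
```

Pair this with a file-integrity baseline of the deployed application: a PHP file that is not in the release manifest is suspicious regardless of its contents, and a scanner like this only narrows down which of the unexpected files to look at first.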


Admin Access Time:

Enter this super long command in the terminal where you're already logged into weevely:

image

But not before running nc -nlvp 4449 in a different terminal.

When you run that command you'll be presented with this in the other terminal:

image
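On the victim, the step above shows up as the web server's uid owning an established socket that has nothing to do with serving port 80: a shell process connected out to the listener on 4449. The script below is an added example (not part of this journal) that parses `ss -tnpe` output and flags exactly that. The ss lines are constructed (the field layout follows ss, but the parser is deliberately tolerant), and the web server uid, served ports and shell names are assumptions for the example.

```python
"""Flag reverse-shell style connections in `ss -tnpe` output.

Added example for this lab journal (not code from the original page). A
reverse shell from a web process shows up as an ESTAB socket owned by the
web server's uid on a port the server does not serve, typically with a
shell or netcat as the owning program. The ss lines below are constructed.
"""
import re

WEB_UID = 33              # www-data on Debian-based systems; assumed for the example
SERVED_PORTS = {80, 443}  # ports the web server legitimately uses
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "nc", "ncat", "python", "python3", "perl"}

SS_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<paddr>\S+):(?P<pport>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\))?(?:\s+uid:(?P<uid>\d+))?'
)


def parse_ss(lines):
    """Parse ss -tnpe lines into dicts; the header and unparsable lines are skipped."""
    records = []
    for line in lines:
        m = SS_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["lport"] = int(d["lport"])
        d["uid"] = int(d["uid"]) if d["uid"] else None
        records.append(d)
    return records


def suspicious_connections(lines):
    """Return ESTAB records that look like a shell reaching out from the web server's uid."""
    out = []
    for r in parse_ss(lines):
        if r["state"] != "ESTAB":
            continue
        reasons = []
        if r["uid"] == WEB_UID and r["lport"] not in SERVED_PORTS:
            reasons.append("outbound socket owned by web server uid")
        if r["proc"] in SHELL_NAMES:
            reasons.append(f"owning process is {r['proc']}")
        if reasons:
            out.append({**r, "reasons": reasons})
    return out


# Constructed ss -tnpe snapshot: a normal HTTP client, an admin SSH session,
# the listening socket, and one shell calling back to a listener on 4449.
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process",
    'ESTAB  0      0      10.0.5.28:80        10.0.5.50:51234   users:(("apache2",pid=812,fd=12)) uid:33 ino:12345 sk:1 <->',
    'ESTAB  0      0      10.0.5.28:22        10.0.5.50:50001   users:(("sshd",pid=640,fd=4)) uid:0 ino:11001 sk:2 <->',
    'LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("apache2",pid=812,fd=4)) uid:0 ino:10234 sk:3 <->',
    'ESTAB  0      0      10.0.5.28:44122     10.0.5.100:4449   users:(("sh",pid=1480,fd=3)) uid:33 ino:12399 sk:4 <->',
]

if __name__ == "__main__":
    for r in suspicious_connections(SAMPLE_SS):
        print(f"{r['laddr']}:{r['lport']} -> {r['paddr']}:{r['pport']} "
              f"pid={r['pid']} proc={r['proc']} uid={r['uid']}: {'; '.join(r['reasons'])}")
```

Run periodically, or from an EDR-style agent, this catches the callback regardless of which port the listener uses; an egress firewall rule that stops the web server's uid from opening outbound connections at all prevents the step from working in the first place.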

From here you'll want to su to gandalf:

image

Once logged in, run cd to get out of the phpmyadmin directory and then ls, and you'll find the flag:

image

image

Root flag:

image